NetStable
Level 2 MP.L2-3.8.6

Implement cryptographic mechanisms to protect the confidentiality of CUI stored on digital media

📖 What This Means

This practice requires encrypting any digital media (like USB drives, hard drives, or cloud storage) that contains Controlled Unclassified Information (CUI) so unauthorized people can't read it if the media is lost or stolen. Think of it like putting a lock on a filing cabinet – even if someone gets the cabinet, they can't access the documents without the key. For example, if an employee loses an unencrypted USB drive with CUI during travel, anyone could access the data. But if it's encrypted, the data remains protected. Another example: Storing CUI in an unencrypted cloud folder exposes it to hackers, while encryption adds a critical layer of security.

🎯 Why It Matters

Unencrypted CUI on digital media is a top cause of data breaches in defense contracting. A 2022 DoD report found 63% of CUI leaks involved unencrypted portable devices. The average cost of a breach involving CUI exceeds $250,000 in investigation/remediation. Real-world example: A defense contractor lost an external hard drive with unencrypted technical drawings for a missile system during transit, leading to a $1.2M DoD fine. The CMMC requires this control because encryption is the last line of defense when physical controls fail. Even if media is lost/stolen, properly implemented crypto prevents data exposure.

How to Implement

  1. Enable encryption-at-rest for all storage services (e.g., AWS S3 SSE, Azure Storage Service Encryption)
  2. Configure customer-managed keys (CMK) using AWS KMS or Azure Key Vault (avoid default platform-managed keys)
  3. Apply encryption to backups/snapshots (e.g., AWS EBS snapshots with KMS encryption)
  4. Enforce encryption policies via IAM (e.g., AWS S3 bucket policy denying unencrypted uploads)
  5. Document encryption methods in cloud security plans
  6. Test restoration from encrypted backups quarterly
  7. Monitor for unencrypted resources with AWS Config or Azure Policy
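The audit and enforcement pieces of steps 1, 2, 4 and 7, as an added example that is not code from this page or from NetStable: it classifies each bucket's default-encryption setting the way the AWS Config rule in step 7 and the CMK check in step 2 would, and builds the step 4 bucket policy. The bucket names, key ARN and configuration dicts are constructed; in a live account the dicts would come from boto3's get_bucket_encryption().

```python
# Constructed sample in the shape of S3 GetBucketEncryption responses (None = no default
# encryption rule); in a live account these come from boto3 get_bucket_encryption().
SAMPLE_BUCKETS = {
    "cui-drawings": {"Rules": [{"ApplyServerSideEncryptionByDefault": {
        "SSEAlgorithm": "aws:kms",
        "KMSMasterKeyID": "arn:aws:kms:us-east-1:111122223333:key/EXAMPLE-CMK-ID"}}]},
    "cui-backups": {"Rules": [{"ApplyServerSideEncryptionByDefault": {
        "SSEAlgorithm": "aws:kms"}}]},   # SSE-KMS, but on the AWS-managed aws/s3 key
    "cui-scratch": {"Rules": [{"ApplyServerSideEncryptionByDefault": {
        "SSEAlgorithm": "AES256"}}]},    # SSE-S3: encrypted, platform-managed key
    "legacy-share": None,                # no default encryption at all
}

def classify_bucket(config):
    """'unencrypted', 'sse-s3', 'sse-kms-aws-managed' or 'sse-kms-cmk'."""
    if not config or not config.get("Rules"):
        return "unencrypted"
    default = config["Rules"][0].get("ApplyServerSideEncryptionByDefault", {})
    algo = default.get("SSEAlgorithm")
    if algo == "AES256":
        return "sse-s3"
    if algo != "aws:kms":
        return "unencrypted"
    key_id = default.get("KMSMasterKeyID", "")
    # No key id, or the alias of the AWS-managed S3 key, means a platform-managed key
    if not key_id or key_id.endswith("alias/aws/s3"):
        return "sse-kms-aws-managed"
    return "sse-kms-cmk"

def audit(buckets):
    """Bucket name -> finding. Only CMK-backed SSE-KMS passes (see common mistake 5)."""
    return {name: classify_bucket(cfg) for name, cfg in buckets.items()}

def noncompliant(buckets):
    return sorted(n for n, c in audit(buckets).items() if c != "sse-kms-cmk")

def deny_unencrypted_upload_policy(bucket, cmk_arn):
    """Step 4 bucket policy: deny PutObject unless SSE-KMS with cmk_arn is requested."""
    # The Null statement explicitly rejects uploads that omit the encryption header.
    conditions = [
        ("DenyMissingSSEHeader", {"Null": {"s3:x-amz-server-side-encryption": "true"}}),
        ("DenyNonKMS", {"StringNotEquals": {"s3:x-amz-server-side-encryption": "aws:kms"}}),
        ("DenyWrongKey", {"StringNotEquals": {
            "s3:x-amz-server-side-encryption-aws-kms-key-id": cmk_arn}}),
    ]
    return {"Version": "2012-10-17", "Statement": [
        {"Sid": sid, "Effect": "Deny", "Principal": "*", "Action": "s3:PutObject",
         "Resource": f"arn:aws:s3:::{bucket}/*", "Condition": cond}
        for sid, cond in conditions]}
```

Feed the same dicts from a real listing (one get_bucket_encryption() call per bucket, treating a ServerSideEncryptionConfigurationNotFoundError as None) to get the step 7 finding list for your environment.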
⏱️ Estimated Effort

Implementation: 40-80 hours (2-3 weeks) for initial setup. Requires mid-level sysadmin skills. Ongoing: 2-4 hours/month for key rotation and monitoring.

📋 Evidence Examples

Encryption Policy Document

Format: PDF/DOCX
Frequency: Annual review
Contents: Approved algorithms, key management procedures, roles/responsibilities
Collection: Export from document management system

BitLocker Compliance Report

Format: CSV/PDF
Frequency: Monthly
Contents: Device names, encryption status, last check-in
Collection: Run manage-bde -status on each device (e.g., from a scheduled PowerShell script) and export the output
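One way to turn saved manage-bde -status output into the compliance report above, as an added example that is not code from this page or from NetStable. The status text, device name and check-in timestamp are constructed; the parser assumes the tool's "Field: value" layout and flags any volume that is not fully encrypted, protected and using a 256-bit AES method (the baseline named under common mistake 2).

```python
import re

# Constructed, abbreviated manage-bde -status output for one device (three volumes).
SAMPLE_STATUS = """\
BitLocker Drive Encryption: Configuration Tool version 10.0.19041
Volume C: [Windows]
    Conversion Status:    Fully Encrypted
    Encryption Method:    XTS-AES 256
    Protection Status:    Protection On

Volume D: [Data]
    Conversion Status:    Fully Encrypted
    Encryption Method:    AES 128
    Protection Status:    Protection On

Volume E: [Scratch]
    Conversion Status:    Fully Decrypted
    Encryption Method:    None
    Protection Status:    Protection Off
"""
# Only the 256-bit methods satisfy the AES-256 baseline; AES 128 and None are flagged.
APPROVED_METHODS = {"XTS-AES 256", "AES 256"}

def parse_status(text):
    """Return {drive letter: {field: value}} parsed from manage-bde -status text."""
    volumes, current = {}, None
    for line in text.splitlines():
        m = re.match(r"Volume ([A-Z]):", line)
        if m:
            current = volumes.setdefault(m.group(1), {})
        elif current is not None and (m := re.match(r"\s+([A-Za-z ]+):\s+(.+)$", line)):
            current[m.group(1).strip()] = m.group(2).strip()
    return volumes

def volume_compliant(fields):
    """Fully encrypted, protection on, and an approved 256-bit method."""
    return (fields.get("Conversion Status") == "Fully Encrypted"
            and fields.get("Protection Status") == "Protection On"
            and fields.get("Encryption Method") in APPROVED_METHODS)

def report_rows(device, text, checked_in):
    """One CSV row per volume: device, volume, method, compliant, last check-in."""
    return [[device, f"{vol}:", f.get("Encryption Method", "None"),
             "yes" if volume_compliant(f) else "no", checked_in]
            for vol, f in parse_status(text).items()]

if __name__ == "__main__":
    for row in report_rows("WS-ENG-042", SAMPLE_STATUS, "2024-05-01T09:00:00Z"):
        print(",".join(row))
```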

Cloud Storage Encryption Screenshot

Format: PNG
Frequency: Per environment change
Contents: AWS S3 bucket properties showing SSE-KMS enabled
Collection: AWS Console screenshot

Decryption Test Results

Format: PDF
Frequency: Semi-annual
Contents: Date, tester name, media ID, successful recovery verification
Collection: Controlled test documentation

Encryption Training Records

Format: XLSX
Frequency: Annual
Contents: Employee names, training dates, quiz scores
Collection: LMS export

📝 SSP Guidance

Use this guidance when writing the System Security Plan (SSP) narrative for this control.

How to Write the SSP Narrative

For MP.L2-3.8.6 ("Implement cryptographic mechanisms to protect the confidentiality of CUI stored on digital media"), your SSP narrative should specifically describe: (1) the tools and technologies you use to implement this control, (2) the configuration or process that enforces it, (3) who is responsible for maintaining it, and (4) what evidence proves it's working. Describe how CUI on media is protected throughout its lifecycle, including encryption, access controls, marking, transport procedures, sanitization methods, and accountability tracking. Be specific: name your actual products, settings, and responsible personnel.

Example SSP Narratives

Cloud (Azure/AWS)

"MP.L2-3.8.6 is implemented using cloud-native controls. [Organization] uses [specific cloud service/feature] to implement cryptographic mechanisms to protect the confidentiality of CUI stored .... The configuration is managed through [Azure Policy/AWS Config/Terraform] and monitored via [SIEM tool]. Responsible party: [IT Security Manager]. Evidence: [specific artifact, e.g., 'Azure AD Conditional Access policy screenshot, CloudTrail logs']."

On-Premise

"MP.L2-3.8.6 is implemented through on-premise infrastructure controls. [Organization] uses [Active Directory/Group Policy/specific tool] to implement cryptographic mechanisms to protect the confidentiality of CUI stored .... Configuration is documented in [location] and audited [frequency]. Responsible party: [System Administrator]. Evidence: [specific artifact, e.g., 'Group Policy export, Windows Event logs']."

Hybrid

"MP.L2-3.8.6 is implemented across both cloud and on-premise environments. [Organization] uses [Azure AD Connect/hybrid tool] to ensure consistent enforcement. Cloud resources are managed via [cloud tool] and on-premise systems via [on-prem tool]. Both environments report to [centralized SIEM]. Responsible party: [IT Director]. Evidence: [artifacts from both environments]."

System Boundary Considerations

  • Identify all removable media types within the CUI boundary
  • Document media storage locations (on-site, off-site)
  • Specify media sanitization and destruction methods
  • Ensure this control covers every system within your defined CUI boundary on which CUI is stored on digital media
  • Document any systems where this control is not applicable and explain why

Key Documentation to Reference in SSP

  • 📄 Media Protection Policy
  • 📄 Media inventory database
  • 📄 Certificates of destruction
  • 📄 Transport chain-of-custody records
  • 📄 Evidence artifacts specific to MP.L2-3.8.6
  • 📄 POA&M entry if control is not fully implemented

What the Assessor Looks For

The assessor will check for CUI markings on media, verify encryption is enabled, review the media inventory for completeness, and examine destruction certificates.

💬 Self-Assessment Questions

Use these questions to assess your compliance. Each "NO" answer provides specific remediation guidance.

Question 1: Do we have a documented policy specifying encryption requirements for all digital media containing CUI?

✅ YES → Proceed to Q2
❌ NO → GAP: Draft policy using NIST SP 800-171 template. Complete within 30 days.
Remediation:
https://csrc.nist.gov/Projects/sp-800-171

Question 2: Are all workstations/servers handling CUI encrypted with FIPS-validated full-disk encryption?

✅ YES → Proceed to Q3
❌ NO → GAP: Deploy BitLocker/LUKS. Use PDQ Deploy for enterprise rollout (2-week timeline).
Remediation:
Microsoft BitLocker guide

Question 3: Are all removable media (USB drives, external HDDs) encrypted before storing CUI?

✅ YES → Proceed to Q4
❌ NO → GAP: Implement VeraCrypt with mandatory pre-use encryption. Block unencrypted USB via Group Policy (1-week fix).
Remediation:
VeraCrypt documentation

Question 4: Do we have quarterly verification that cloud storage containing CUI has encryption-at-rest enabled?

✅ YES → Proceed to Q5
❌ NO → GAP: Set up AWS Config rule 's3-bucket-server-side-encryption-enabled'. Implement within 1 week.
Remediation:
AWS Config managed rules

Question 5: Can we demonstrate successful decryption/recovery of CUI from backups during last test?

✅ YES → COMPLIANT
❌ NO → GAP: Conduct controlled recovery test immediately. Document results.
Remediation:
NIST SP 800-88 test procedures

⚠️ Common Mistakes (What Auditors Flag)

1. Encrypting data but storing keys on same media

Why this happens: Convenience over security
How to avoid: Always store keys separately (e.g., Active Directory, HSM)

2. Using deprecated algorithms (e.g., DES, RC4)

Why this happens: Legacy system dependencies
How to avoid: Enforce AES-256 via GPO/configuration management

3. No documentation of decryption procedures

Why this happens: Assuming IT staff 'just knows'
How to avoid: Maintain runbooks with tested recovery steps

4. Encrypting only some CUI media types

Why this happens: Overlooking backups or test environments
How to avoid: Inventory all media types and verify encryption

5. Cloud storage encrypted but with platform-managed keys

Why this happens: Default configurations
How to avoid: Always use customer-managed keys (CMK) in AWS/Azure

📚 Parent Policy

This practice is governed by the Media Protection Policy


📚 Related Controls